On 9/14/10 4:40 PM, Tom Eastep wrote:
> On 9/14/10 3:37 PM, Mr Dash Four wrote:
>>
>>> There's more to it. 'blacklist' is not a zone attribute. It is a
>>> host-group attribute (see shorewall-hosts(5)). I regret that it was
>>> initially implemented that way but it was and I need to maintain
>>> compatibility.
>>>
>> OK, I applied the patch, checked and had eth0_out with 'blackout' as the
>> first ref. entry and in it I had the blacklisted ipsets as expected. Did
>> a dry run and tried to connect to a blacklisted address and it worked.
>> Now for the confusing bits:
>>
>> eth0 in 'interfaces' has 'blacklist' option set (NO numbers). So,
>> according to shorewall-interfaces I wouldn't be allowed to use
>> blacklisted features on packets originating from that interface, but as
>> you can read above - it works.
>>
>> The whole thing is VERY confusing - I should have at least some sort of
>> 'fool-proof' system in place, which should prevent me from using daft
>> combinations like selecting blacklist=1 and then using the "to" option
>> in the blacklist file and vice versa.
>
> That's not daft. It is very reasonable.
>
> Please read the man page again. And also please note that during Betas
> (especially), the latest documentation is always available at
> http://ipv6.shorewall.net/Documentation.html (has an A record as well as
> AAAA).
Hopefully this will help. Here's a simple example of a two-interface
Shorewall box.

/etc/shorewall/interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      ...,blacklist=1
    loc     eth1        detect      ...,blacklist=2

/etc/shorewall/blacklist:

    #ADDRESS   PROTO   PORT(S)   OPTIONS
    1.2.3.4    -       -         to,from

So eth0 is the internet-facing interface and eth1 is local.

    -A INPUT -j accounting
    -A INPUT -m conntrack --ctstate NEW,INVALID -j dynamic
    -A INPUT -i eth0 -j net2fw
    ...
    -A net2fw -m conntrack --ctstate NEW,INVALID -j blacklst

So packets from the net addressed to the firewall go through 'blacklst'.

    -A FORWARD -j accounting
    -A FORWARD -m conntrack --ctstate NEW,INVALID -j dynamic
    -A FORWARD -i eth0 -o eth1 -j net2loc
    -A FORWARD -i eth1 -o eth0 -j loc2net
    ...
    -A net2loc -m conntrack --ctstate NEW,INVALID -j blacklst

So packets from the net addressed to local hosts go through 'blacklst'.

    -A loc2net -m conntrack --ctstate NEW,INVALID -j blackout

So packets from the local net addressed to Internet hosts go through
'blackout'.

    -A OUTPUT -j accounting
    -A OUTPUT -o eth0 -j eth0_out
    ...
    -A eth0_out -m conntrack --ctstate NEW,INVALID -j blackout

So packets originating on the firewall and going out eth0 are passed
through 'blackout'.

    -A blacklst -s 1.2.3.4 -j DROP
    -A blackout -d 1.2.3.4 -j DROP

So 'blacklst' drops packets from 1.2.3.4 and 'blackout' drops packets to
1.2.3.4.

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
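Added example, not part of the thread or of Shorewall: a small Python model of the chain layout Tom lists above (the rule table, packet fields and addresses are constructed from his listing), which traces a packet from its built-in chain down to 'blacklst' or 'blackout' and reports whether it is dropped. It makes visible the two points under discussion: 'from' entries only take effect in chains that reach 'blacklst', 'to' entries only in chains that reach 'blackout', and neither is consulted for packets whose conntrack state is not NEW or INVALID.

```python
"""Trace how the blacklist=1 / blacklist=2 rules from the thread above
route a packet. Constructed model of the listed iptables chains, not
Shorewall's own code; match keys: i, o, s, d, state (absent = wildcard)."""

RULES = {  # chain -> ordered list of (match, target), as in the listing
    "INPUT":   [({}, "accounting"), ({"state": "NEW,INVALID"}, "dynamic"),
                ({"i": "eth0"}, "net2fw")],
    "FORWARD": [({}, "accounting"), ({"state": "NEW,INVALID"}, "dynamic"),
                ({"i": "eth0", "o": "eth1"}, "net2loc"),
                ({"i": "eth1", "o": "eth0"}, "loc2net")],
    "OUTPUT":  [({}, "accounting"), ({"o": "eth0"}, "eth0_out")],
    "net2fw":   [({"state": "NEW,INVALID"}, "blacklst")],
    "net2loc":  [({"state": "NEW,INVALID"}, "blacklst")],
    "loc2net":  [({"state": "NEW,INVALID"}, "blackout")],
    "eth0_out": [({"state": "NEW,INVALID"}, "blackout")],
    "blacklst": [({"s": "1.2.3.4"}, "DROP")],   # 'from' side of the entry
    "blackout": [({"d": "1.2.3.4"}, "DROP")],   # 'to' side of the entry
    "accounting": [], "dynamic": [],            # empty here: fall through
}

def matches(match, pkt):
    for key, want in match.items():
        if key == "state":
            if pkt["state"] not in want.split(","):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def trace(chain, pkt, path=None):
    """Walk a chain; return (verdict, chains visited). A user chain that
    runs off its end RETURNs to the caller, so 'CONTINUE' means the packet
    was never dropped by a blacklist rule."""
    path = [] if path is None else path
    path.append(chain)
    for match, target in RULES[chain]:
        if not matches(match, pkt):
            continue
        if target == "DROP":
            return "DROP", path
        verdict, path = trace(target, pkt, path)    # descend into user chain
        if verdict == "DROP":
            return verdict, path
    return "CONTINUE", path

def check(pkt):
    """Pick the built-in chain from the interfaces present and trace it."""
    if pkt.get("i") and pkt.get("o"):
        chain = "FORWARD"
    else:
        chain = "INPUT" if pkt.get("i") else "OUTPUT"
    return trace(chain, pkt)
```

A local host sending to 1.2.3.4 is dropped in 'blackout', but a packet from 1.2.3.4 arriving on eth1 is not, because loc2net never reaches 'blacklst'; an ESTABLISHED packet skips both chains entirely.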
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
